Shedding Light on Haunted Corners of Information Security

Characterising the fundamental concepts of information security, such as confidentiality and authentication, has proved problematic from the outset and remains controversial to this day. Non-interference was proposed some 25 years ago to give a precise, formal characterisation of the absence of information flows through a system, motivated in large part by the discovery of "covert channels" in access control models such as Bell-LaPadula. Intuitively, it asserts that altering High's interactions with a system should not result in any observable difference in Low's interactions with the system. Superficially it appears to be a very natural and compelling concept, but it turns out to harbour some surprising subtleties. Over the years, various models of computation have been used to formalise non-interference. Typically these floundered on non-determinism, "input/output" distinctions, input totality and so forth. In the late 80's and early 90's, process algebras, in particular CSP, were applied to information security. In this talk I will briefly overview this approach and discuss how the concepts and results from process algebra shed light on these haunted corners of non-interference, including the role of non-determinism, unwinding results, composition, refinement and input/output distinctions. In particular, we argue that the absence of information flow can be characterised in terms of process equivalence, itself a delicate and fundamental concept.
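The intuition stated above (changing High's interactions must not change what Low can observe), together with the trouble that non-determinism and refinement cause for trace-based formulations, as an added Python example that is not code from the talk or its references: the event names and toy systems are constructed, and the `same_low_view` condition is this example's own stronger possibilistic check, not a definition taken from the talk.

```python
"""Added example, not code from the talk: non-interference checks on finite traces.
Events are (level, name) pairs; a system is a small acyclic labelled transition
system {state: [(event, next_state), ...]}.  All systems below are constructed toys."""
HIGH, LOW = "H", "L"

def traces_of(lts, state=0, prefix=()):
    """All traces of an acyclic LTS from `state`; includes prefixes and ()."""
    out = {prefix}
    for ev, nxt in lts.get(state, []):
        out |= traces_of(lts, nxt, prefix + (ev,))
    return out

def project(trace, level):
    """Keep only the events a user at `level` takes part in."""
    return tuple(e for e in trace if e[0] == level)

def purge_closed(lts):
    """Trace-based non-interference: deleting High's events from any run leaves a
    run the system can still perform, so Low's observations never require High."""
    ts = traces_of(lts)
    return all(project(t, LOW) in ts for t in ts)

def same_low_view(lts):
    """Stronger possibilistic condition (this example's own): whatever High does,
    Low's set of possible observations is the same."""
    views = {}
    for t in traces_of(lts):
        views.setdefault(project(t, HIGH), set()).add(project(t, LOW))
    return len({frozenset(v) for v in views.values()}) == 1

def refines(spec, impl):
    """CSP trace refinement: the implementation performs no trace the spec cannot."""
    return traces_of(impl) <= traces_of(spec)

h, l, l1, l2 = (HIGH, "h"), (LOW, "l"), (LOW, "l1"), (LOW, "l2")
# Leaky: l happens only after h, so observing l tells Low that h occurred.
LEAKY = {0: [(h, 1)], 1: [(l, 2)]}
# Secure: l is available whether or not h has happened.
SECURE = {0: [(h, 1), (l, 2)], 1: [(l, 2)]}
# Non-deterministic choice of l1/l2 independent of h: passes both checks.
SECURE_ND = {0: [(h, 1), (l1, 2), (l2, 2)], 1: [(l1, 2), (l2, 2)]}
# Trace refinement of SECURE_ND that always picks l1 after h.  It still passes the
# purge check, yet Low seeing l2 learns that h did not happen (refinement subtlety).
REFINED = {0: [(h, 1), (l1, 2), (l2, 2)], 1: [(l1, 2)]}

if __name__ == "__main__":
    for name, s in [("LEAKY", LEAKY), ("SECURE", SECURE), ("SECURE_ND", SECURE_ND), ("REFINED", REFINED)]:
        print(f"{name:9} purge_closed={purge_closed(s)!s:5} same_low_view={same_low_view(s)}")
    print("REFINED refines SECURE_ND:", refines(SECURE_ND, REFINED))
```

The last two systems are the point: the purge-based trace check accepts REFINED even though it is a refinement of a secure system that now leaks, which is why the talk turns to richer notions of process equivalence than trace sets.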
